Passwords Can Sit on Hard Disks for Years

CygnusXII writes ""As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security." "

Hehe

[mgs1000]

It looks like some reporter just discovered the page file. :)

Re:Hehe

[Reziac]

That was my thought too...

Back in the Win3.1x era, when the typical swapfile was still small enough to peruse with a hex editor, I cruised through my permanent swapfile with LIST, just to see what was being dumped out of RAM. I found data in there that was identifiably over 3 years old. And therein, I also found some passwords archived -- as plaintext.

Not to mention logfiles; I have some that stretch back several years, and I'm sure I'm not alone.

So I don't find this exactly "news" either. Then again, I could turn this into a rant on the "expertise" of the typical tech journalist... (one of my PC maintenance clients is one. Regular exposure has given me a complete lack of respect for the breed.)

Re:Hehe

[Jokkey]

The article does go into a bit more detail than that... They use a program called TaintBochs (probably hacked from the open source emulater Bochs) to track sensitive data and find out where exactly it goes and how long it's there. This sounds to me like a nifty hack, and they're actually doing research to come up with quantitative results on how long data sticks around, instead of just saying, "Um, yeah, stuff gets swapped out."

Re:Hehe

[Mortoc]

The fact that a password can sit on a hard drive is really irrevelent. If someone has access to your hard drive, they might as well just set up a keylogger and wait till you access a bank account or something, that would be much easier than wading through hundreds of megabytes of swap. This security hole is almost completely irrevelent, the only time that I would worry about something like that is when throwing away a a computer (which should be recycled anyway). Someone interested enough could go through your trash, removed an old hard drive and start snooping around.

Re:Hehe

[operagost]

Too bad he didn't discover the setting in Windows XP that clears the pagefile on shutdown. Instead, he plays programmer and suggests that only a few measly lines of code will fix the problem; and no one will mind the huge performance hit because computers are so fast already.

Even if you aren't running Windows, other OSes like OS/2 will recreate a fresh pagefile on every boot.

Zero the data

[Lord+Grey]

One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with - something he [Tal Garfinkel] says could be done with just a few extra lines of code in application programs.

My company worked on a project a few years ago that required this very thing. It wasn't just passwords, though: The customer demanded that all data passing through the applications be wiped as soon as possible.

The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.

Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.

The same customer actually requested this first. The problems associated with it were were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy.

BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).

Re:Zero the data

[Lord+Grey]

Can you really be sure that the data is wiped? What if the memory is swapped to a page file or swap partition, later swapped back into memory and then you only erase what's in the RAM?

You can either lock the RAM page so it doesn't swap, or force the page to write back out to swap after zeroing. The former is far easier (unless you want to do a lot of painful coding) and, if I remember correctly, was what was done with the project I talked about. I don't think the page locking/unlocking made it into the downloadable library, though.

Well, we can always do like in MacGyver

[192939495969798999]

My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.

The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?

Re:Well, we can always do like in MacGyver

[paiste404]

dont question the macgyver. this is the same man who once picked an electronic lock with half-full wine glasses and a canary. you will accept the macgyver and you'll like it.

Ultimate solution

[desplesda]

Let's just do a brain scan of everyone. I mean, you can forge fingerprints, voice prints, etc, but you can't beat a mind probe!

Untrue

[frs_rbl]

Passwords don't sit on hard disks. It's more like under mouse pads

talk about hacker sophistication...

P2P

It's amazing how easy it is to find people's password files shared on P2P apps like DirectConnect, Gnutella, etc. There's everything - Total Commander (FTP), WS FTP, mail clients, you just have to search for the proper file name.

Self-Expiring Password Hardware

[Nuclear+Elephant]

Store all your passwords on a burned CD, that way they'll have a shelf-life of 3-5 years tops.

Repairs

[pubjames]

One thing that worries me is sending machines away to get repaired.

I have a Sony Vaio laptop which I had to send to be repaired. I phoned the support number to tell them I was going to take the hard disc out before sending it. They said that if I did I would be charged for a new hard disc (at a hugely inflated price) and they wouldn't repair it without one.

I once sent a PC for repair and the teenage dork who repaired it actually said I had some great games on my machine and that he had played them. In another case in the UK, some padeophile was caught (was it Garry Glitter?) when he sent his PC in for repair. Now, I'm all for catching kiddie fiddlers, but that is not the way to do it.

I don't want the repair staff looking through the stuff on my hard disc. There should be a standard industry guarantee that this won't happen, or a privacy law about it or something.

Encrypt your disk

[PSUspud]

When I read the headline, I was alarmed. But
then I read the article, and all my worries went away.
I encrypt my swap partition, and that fixes the problem.

It's not hard, and since it's swap (i.e., data
you don't need for very long), you don't even need
to remember a password (your computer uses a random
one every time is sets up the swap). Really, it's
pretty easy -- see the HOWTO at http://www.tldp.org/HOWTO/Disk-Encryption-HOWTO/
and keep your goatsex links and pictures confidential.